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12 April 2018 


The Chief Executive 
All Stored Value Facility Licensees 


Dear Sir/Madam, 


Sanctions Screening Systems 


I am writing to reiterate some important regulatory requirements by the Hong 
Kong Monetary Authority (HKMA) in relation to sanctions compliance. Stored 
value facility (SVF) licensees are reminded to put in place adequate measures 
which are appropriate to the nature and size of businesses, to meet their 
obligations under the Hong Kong’s financial sanctions regime. It is also the 
HKMA’s regulatory requirement on SVF licensees that sanctions screening 
should be conducted for new customers and payments as well as for existing 
customers whenever new designations are published’. 


The adequacy of sanctions screening systems and controls is a supervisory 
priority for the HKMA, especially in the light of recent geopolitical 
developments. To test the effectiveness of the SVF sector in meeting sanctions 
obligations, we are planning to conduct thematic reviews on a number of SVF 
licensees in the coming months, taking into account the nature and size of their 
businesses. To assist SVF licensees in understanding and optimizing the 
performance of their screening systems, as well as preparing for the upcoming 
review, we are sharing key observations and good practices from a similar 
thematic review we have recently conducted in relation to the financial 


| Please refer to relevant documents including the Guideline on Anti-Money Laundering and Counter- 
Terrorist Financing (For Stored Value Facility Licensees) and the HKMA’s circulars on 31 January 
2018 (Anti-Money Laundering / Counter-Terrorist Financing: United Nations Sanctions) and 8 March 
2018 (FATF Guidance on Counter Proliferation Financing). 
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sanctions screening systems of Authorized Institutions (AIs). 

While sanctions compliance policies and risk appetite may differ between SVF 
licensees and Als, dependent on the particular business model, SVF licensees 
are encouraged to review the good practices provided at Annex and consider 


adopting such, as applicable, to help strengthen their ability to meet sanctions 
obligations. 


If you have any questions on this circular, please contact Mr Alex Chow at 


2878-8769 or Mr Dixon Lam at 2878-8721. 


Yours faithfully, 


Carmen Chu 
Executive Director (Enforcement and AML) 


Encl. 


Annex 


Feedback from Thematic Reviews of Als’ Sanctions Screening Systems 


Als should take adequate measures, which include effective sanctions screening 
systems which are appropriate to the nature and size of businesses, to meet their 
obligations under Hong Kong’s financial sanctions regime. These obligations, 
together with other relevant considerations, are set out in Chapter 6 of the Guideline 
on Anti-Money Laundering and Counter-Terrorist Financing (For AlIs)' (AML 
Guideline). It is the HKMA’s regulatory requirement on Als that sanctions screening 
should be conducted for new customers and payments as well as for existing 


customers whenever new designations are published’. 


This note provides feedback from thematic reviews conducted over the past few 
months and aims to provide further guidance to Als in implementing effective, 
risk-based screening systems. To provide greater clarity, specific regulatory 
expectations are included in text boxes and may be used by Als as self-assessment 
questions. Key observations are provided together with some examples of good 
practices for reference, while Als should note that these are not meant to be an 


exhaustive list for meeting regulatory expectations. 


Given the focus of the thematic review exercise, this note does not cover other aspects 
of effective sanctions risk management, for example, the quality of data input (for 
completeness and accuracy) or the quality of the data output (how matches are being 
investigated and escalation handled). AIs should make further reference to the AML 
Guideline and the HKMA Guidance Paper “Transaction Screening, Transaction 
Monitoring and Suspicious Transaction Reporting’ issued in December 2013, 


adopting a risk-based approach in implementation. 


' Chapter 6 ‘Financial Sanctions and Terrorist Financing’ 
? Paragraph 6.22 AML Guideline 
1 


1.1 


1.2 


1.3 





Als’ senior management should consider the risk of sanctions breaches and 
determine the appropriate level of sanctions screening to manage the risk 
for the AI 





Als should be able to demonstrate a proven methodology for determining 
system settings and performance, and which is consistent with compliance 
policies and risk appetite. This includes a thorough understanding of the risks, 
the types of customer the AI has and the geographic regions the customers are 
operating in. Most Als as examined in the thematic review were able to 
articulate their respective choices of system configuration and settings to 
varying degrees and some in great detail, while a few Als demonstrated 
over-reliance on the vendor and were only able to provide a more simplistic 
response, without being able to provide clear reasons why specific settings had 


been adopted. 


Where a group-wide policy is in place, Als must understand and be able to 
justify, in line with compliance policies and risk appetite, any variations in 
system settings or configuration adopted locally which impacts performance of 
the system. This applies to the lists and data which are entered into systems 
and against which screening is conducted and also the algorithms / rules utilised 
(referred to as “system filters’). Some variations were observed in the 
thematic review while a few Als were unable to adequately demonstrate how 
any deviation from the group-wide policy would affect the effectiveness and 
efficiency of its screening system, such as accuracy and number of alerts 


generated. 


While not included in the review, as additional guidance, Management 
Information (MI) should provide senior management with adequate information 
to understand the financial crime risks to which the AI may be exposed. In the 
context of sanctions risk management, this may include an overview of the 
sanctions risks to which the AI is exposed, the effectiveness of certain aspects of 
system performance, such as screening and relevant information regarding 


volume of alerts, details of false positives, genuine sanctions hits, etc. 


2.1 


3.1 


3.2 


3.3 





New systems, or upgrades to existing systems need to be thoroughly tested 
and tuned prior to deployment, with sufficient levels of reporting and 


oversight 





A few Als were not able to demonstrate that adequate testing had taken place 
before system deployment. Asa good practice, Als should take steps to satisfy 
themselves the system is appropriate and operating as expected before relying 
on automated screening systems. If an AI is upgrading an existing screening 
system, testing should be conducted prior to deployment to check that all system 
filters work properly and that the new system is an improvement over the old 


one. Als should document that testing and analysis have been duly conducted. 








Ongoing monitoring, tuning and testing should be conducted on all aspects 
of sanctions screening systems, lists and processes on a regular and frequent 


basis 





Als are expected to have an adequate understanding of their obligations under 
the sanctions regime in Hong Kong and, as applicable, in other jurisdictions in 
relation to Al’s international operations. Generally, most of the Als examined 


in the thematic review had an adequate understanding of the above obligations. 


Most Als carried out quality assurance work on the effectiveness of their 
sanctions systems, although frequency and intensity varied. Many Als had 
systems validated by external vendors and where this was the case, there was 
generally a better understanding of system / filter performance and the various 
factors underpinning such performance. Most Als in the review exercise 
expressed that system effectiveness was one of the more challenging areas to 
test, since it required dummy data to validate the end result. It should be noted 
that regardless of how testing is performed, the testing process should be 


independent and provide the level of validation required. 


With regards to frequency of testing, running a test once a year or every few 
years will not provide sufficient ongoing comfort that best efforts are being 
made to meet obligations. Testing must be performed frequently to maintain a 
system which is both effective and efficient, ensuring that latest sanctions list 


changes are tested and that system filters are operating within expectations”. 


3 The database of Als’ designated parties should be updated in a timely manner in accordance with 


Chapter 6 of the AML Guideline. 


3 





4.1 


4.2 


4.3 


4.4 


As revealed in the thematic review, a few AIs which did not carry out frequent 
testing and tuning internally were unable to demonstrate an adequate 
understanding of system filter performance and had not collated the necessary 


information and data to make correct decisions with regards to system settings. 








Als are expected to have a clear and demonstrable understanding of the 
system filters utilised in their screening technology, and to employ / equip 
staff with the right skills and knowledge to support the deployment of 


effective sanctions screening systems 





Many Als as examined in the review had developed appropriate internal training 
programmes for staff in key roles. During the post-test interviews, these Als 
with training programmes and relevant subject matter expertise demonstrated a 
more thorough understanding of system filter performance. It was apparent in a 
few other interviews, however, that staff had not been provided with the right 


skills to support effective system deployment. 


Most Als in the review exercise were able to clearly describe specific decisions 
around the lists their system operated and the filters employed. Explanations for 
each setting within the system should be properly documented. The review also 
revealed a few Als that had limited knowledge of system filter performance or 


whether certain sanctions lists were in scope of the screening system or not. 


There should also be clarity around ownership and accountability of the risk and 
which functions, compliance or information technology units, should contribute 
to managing that risk, for example, by ensuring that sanctions lists are kept up to 
date. 


Suppression (or good guy/false hit) lists should be subject to particularly robust 
oversight. The reason for the inclusion of each entry should be documented 
properly, and these lists should be subject to regular maintenance and reviews. 
Appropriate approval should also be sought with respect to these regular reviews, 


as well as prior to the inclusion of any entry into these lists. 





Did 





Als are expected to conduct ongoing tuning of system filters to reduce the 


level of false positives without compromising effectiveness 





Als should understand their required level of effectiveness based on risk appetite, 
but should at the same time tune the system for greater efficiency where possible. 
Most Als in the review understood the competing relationship between 
effectiveness and efficiency of the system and could evidence this understanding 
through actions such as monitoring levels of false positives. In those Als where 
there was proactive and ongoing fine tuning to achieve greater efficiency, there 
was also a more comprehensive understanding of how the system, and the filters 
employed, operated. Ina few Als we noted high volumes of alerts, and where 
there were great dependency on vendor support and a general lack of awareness 


of the need for system optimization in one or two cases. 


